98 Comments
- inkswamp, on 06/08/2008, -2/+56
So ZDNet posts a scary-sounding story citing as their only evidence a report produced by ScanSafe, a company that provides Web security services for large organizations.
Gee, thanks for the advertisement disguised as a legitimate article, ZDNet.
- brazen521, on 06/08/2008, -0/+44
What does the confused old guy have to do with anything?
- twishart, on 06/08/2008, -1/+35
Well, as long as those hackers can't turn my home computer into a bomb and blow my family to smithereens.
- Askee, on 06/08/2008, -1/+35
They can't hack me, I have Norton!...
...What?
- inactive, on 06/08/2008, -0/+27
http://img246.imageshack.us/img246/7734/21cs1.jpg
http://img185.imageshack.us/img185/5159/221po0.jpg
http://img185.imageshack.us/img185/8601/23em6.jpg
- Surferess, on 06/07/2008, -1/+27
Sometimes, I worry about some Digg stories getting infected.
- crownedgriffin, on 06/08/2008, -1/+18
Lol. I was visiting my Dad the other day and downloaded the free version of Ad Aware and removed a ton of crap from his computer. He was really pissed that his $70/year Norton didn't catch any of it.
- netdroid9, on 06/08/2008, -0/+12
Haven't you seen Diehard 4?!
- waydee, on 06/08/2008, -2/+13
All I have to say is that I'm glad I've got common sense and Firefox.
- MacBookForMe, on 06/07/2008, -3/+12
I am sure they are ...some of them (with Ideology):
- kurupt, on 06/08/2008, -0/+9
They're one of many sites on the web that are reporting on this. Maybe not with a figure in terms of percentages, but other sites have documented this, including people who are independent security researchers. Most of them are in the realm of security services because that's what they're tasked to do - keep up with the latest trends in malware and try to find a way to safeguard against it.
- jakobmakob, on 06/08/2008, -0/+9
In other news, visitors to this story are all victims to web-based malware.
- Stalks, on 06/08/2008, -0/+7
How will a browser be effective against server-side exploits? Idiot.
- jcaino, on 06/08/2008, -1/+8
the problem is people write code - then they don't update it, check it for validation, etc, or set poor permissions on folders. i see a lot of these cases, and most of the problems could be solved by the webmaster just being a bit more on the ball. especially with wordpress and other widely available software packages that people -think- are install and forget (nothing against wordpress, just an example)
- Myztry, on 06/08/2008, -3/+9
Malware isn't really a problem unless you're running Microsoft Windows. The problem is too many people suffer from that genuine disadvantage.
- kurupt, on 06/08/2008, -0/+6
Actually, this isn't some sort of FUD. Sites are being infected through an SQL injection. It's been on-going for a few months now (nihaorr1 was one of the first ones found during the middle of April). The folks at ShadowServer have been keeping a repository of sites that are involved in the attacks - http://www.shadowserver.org/wiki/pmwiki.php?n=Cale ...
I check these out periodically and one of the recent sites I found infected was Dr. Drew's (of Loveline fame) page: drdrew[dot]com
Searching for this site through Google prompts you with a "This site may harm your computer" link. Also, beware that your browser may use 'prefetch' which could infect your system.
Your safest bet is to make sure you've got NoScript installed in your Firefox Add-ons. A lot of these are JavaScript injections (a handful of the recent ones I've seen are .asp) which write IFRAMEs into the page linking to the list of sites found in the ShadowServer report.
- inactive, on 06/08/2008, -0/+6
remember in the old days when you had that plastic cover you placed over your computer to protect it? That works like a computer condom, why do you think there weren't many worms, and they didn't infect home systems generally, malware was all but non-existent back then.
Computers got cheap and will interface with other computers without using those covers, so it's no surprise really.
- Dokument, on 06/08/2008, -3/+9
mrbabyman... trojan... coincidence? i think not.
- crownedgriffin, on 06/08/2008, -1/+6
Obligatory: Digg has ads?
- taikahn, on 06/08/2008, -3/+8
FUD, fluff and zdnet oh my!
- inactive, on 06/08/2008, -1/+6
Hardly a police state, troll somewhere else...
- j0nnyDiGITAL, on 06/08/2008, -0/+5
Waait how did you type this comment then?
DOES NOT COMPUTE
- zadadka, on 06/08/2008, -0/+4
The same mentality that causes children to throw stones at bus shelter windows etc.
Which is why they're called "script-kiddies".
- Murdats, on 06/08/2008, -0/+4
Russian mafia and the like.
- n3tfury, on 06/08/2008, -2/+6
i have windows and i don't concern myself with viruses or malware because i have half a peanut in my cranial turret.
- kurupt, on 06/08/2008, -0/+4
FYI: For those wondering about a "legitimate" site being infected, here is Google's Safe Browsing diagnosis for Dr. Drew's site:
http://www.google.com/safebrowsing/diagnostic?site ...
Shows three sites that were inserted onto Dr. Drew's site via SQL injection.
Another one:
http://www.google.com/safebrowsing/diagnostic?site ...
This was infected by nihaorr1[dot]com. A lot of the sites that have been infected aren't being caught by Google's Safe Browsing (with prefetch OFF (about:config in your browser, search prefetch), try googling nihaorr1[dot]com/1.js and check out all the sites that show up.)
- gioma1, on 06/08/2008, -0/+4
NoScript will protect you even if the compromised site is in your whitelist.
Most attacks (all the ones we could see in the wild so far) include their malicious payload from 3rd party sites (often hosted on Chinese servers), because hosting the payload directly on a "legit" site would be many times more difficult than performing a simple SQL injection.
Those 3rd party malware-serving hosts are very unlikely to be in your whitelist, even if you trust the main compromised site, therefore NoScript is an effective protection.
See http://hackademix.net/2008/05/28/unpatched-flash-v ... for an example.
- majordanger, on 06/08/2008, -0/+3
Just typing that nihaorr... website into the google search lit up the AVG malware detector.
I will now return to the fetal position and continue shivering in fear.
- jcaino, on 06/08/2008, -0/+3
there's a lot more accounts out there on shared-hosting than on dedicated.
and it still isn't a good idea on dedicated-hosting either. having world-writable directories means that if one script gets exploited, an attacker can put files anywhere that's world-writable.
777 permissions are never a good idea.
- duckyinc, on 06/08/2008, -0/+3
I want all dumb people executed immediately
- unluckier, on 06/08/2008, -0/+3
Web browsers today just aren't set up to be secure by default. But you can lock them down to be safer. The ideal setup is to install NoScript, as others have suggested, but make sure that you go into the options to lock down things like IFRAMEs and other plug-ins. Requiring a click for these items to work is a reasonable trade-off vs. the fear of getting owned when visiting a web site. Plus, it'll have the side-effect of blocking most ads!
More details here:
http://www.cert.org/tech_tips/securing_browser/
- AzureRise, on 06/08/2008, -0/+3
Nuh uh, Russian mafia kill spammers and the like. They're sick of Viagra e-mails telling them their penises are too small.
- drakia, on 06/08/2008, -0/+3
Why does everybody say setting "poor permissions" on files lets your site get hacked? If you're on shared hosting, yeah, it's a bad idea, but on a dedicated server you don't even need to worry about it, since only you have access to the server anyways...
- jp12380, on 06/08/2008, -0/+3
Must install Active x object, well... ok.
- parax, on 06/08/2008, -0/+3
It's easy, you just use analognet. You type out your message on a typewriter and mail it to a company who posts to the internet for you. Then they mail you back a print out of the internet (well, only the pages that have changed since your last letter, you use your compiled library of documents as a cache)
- gioma1, on 06/08/2008, -0/+3
Here's the info you're after:
http://hackademix.net/2008/04/26/mass-attack-faq/
- iDgg, on 06/08/2008, -1/+4
that was so fcking short
- zadadka, on 06/08/2008, -1/+4
"Just because you're paranoid doesn't mean to say the world ISN'T out to get you".
- santaliqueur, on 06/08/2008, -4/+7
You'll be dugg down as far as can be, but I agree with you. I don't miss worrying about malware.
- nielkie, on 06/08/2008, -0/+3
It was sent by pigeon.
- Stavrosian, on 06/08/2008, -0/+2
I can tell you that this sort of problem has affected several legitimate MMORPG-related websites, with an awful lot of Final Fantasy XI accounts being compromised owing to malicious code inserted onto somepage.com and, I believe, ffxiclopedia.org. Both of those websites are long-standing and very trusted by the in-game community.
If it's happening with something so trivial as game accounts, each of which might be worth a few hundred dollars maximum, I wouldn't be surprised to find it happening on a bigger stage.
- kurupt, on 06/08/2008, -0/+2
Install NoScript for Firefox. I believe that's the best thing most people can do because there are a slew of new SQL injection sites getting posted regularly. You can try to rely on vendors keeping up to date with these sites, but some of them might not be on top of their games and be able to get a site listed before it gets to you.
- inkswamp, on 06/08/2008, -0/+2
I have a background in the news industry and I can assure you that that doesn't matter. ZDNet citing only this source gives off an appearance of impropriety. That's journalism 101. I found this article suspect because it didn't list or describe a single security issue so I did a search for the ScanSafe report they allude to and found out who ScanSafe was. My next question would be whether or not ScanSafe provides services to ZDNet and whether or not there is a quid pro quo going on here for the apparent free advertising.
Don't you wonder why ZDNet didn't cite other sources for this information? Traditionally, a journalist is supposed to cite at least two independent sources before passing along information anyway. The lack of multiple sources looks odd.
- OmegaWolf, on 06/08/2008, -0/+2
In other words, even only going to legit sites is no guarantee of safety. Well, this certainly sucks.
- forthex, on 06/08/2008, -0/+2
Can we seriously consider MediaDefender's anti-piracy measures malware after that whole debacle with Revision3?
- bradleyland, on 06/10/2008, -0/+2
I've proposed Ubuntu to a few of my customers (where it would be appropriate), but most small/medium sized business owners are uninterested in charting new territory, regardless of the number of companies I cite that use Linux.
- jrbrewin, on 06/08/2008, -0/+2
most of these exploits are using sql injections to get on to the site, not a simple http put.
- kurupt, on 06/08/2008, -0/+2
These sets of attacks are unrelated to the example you gave. Legitimate sites are being compromised and therefore people are unknowingly being infected.
- kurupt, on 06/08/2008, -0/+2
Two examples: A United Nations site, UK Government website
http://securitylabs.websense.com/content/Alerts/30 ...
- bradleyland, on 06/08/2008, -0/+2
I can vouch for seeing this "in the trenches", so to speak. I have a small consultancy with 40 small to mid sized businesses. Malware infections used to be the kind of thing that only showed up on the computers of certain types of workers. It was always either women who didn't understand why they weren't supposed to install that cute cursor thingy they saw on myspace, or guys who were visiting the internet red-light district on lunch.
I've seen a huge relative increase in the number of people who are infected that are normally hassle free users. I've even identified several of the infection sources, and they were all "legitimate" websites owned by other small businesses that don't pay much attention to their website. Most are infected by some third-party, crap-ass java rollover/weather/quote of the day/etc add-on that their "$150 per page" website developer charged them an extra $25 for. The web developer didn't bother to copy the component to the customer's web server, they just copied and pasted some snippet of code that links back to the provider. The malware writers seem to be targeting just these types of components.
Add this to the list of reasons for hiring a competent web developer.
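
Added example, not part of any comment above: several comments describe injected script and IFRAME tags that pull their payload from third-party hosts. A webmaster-side check for that pattern lists every off-site script/iframe source in a page and flags hosts outside an allowlist. The page markup, host names and allowlist below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one allowlisted widget,
# and two injected-looking off-site includes. All hosts are placeholders.
SAMPLE_HTML = """
<html><body>
<script src="/js/menu.js"></script>
<script src="http://widgets.example.net/weather.js"></script>
<p>Welcome<script src="http://injected.example.org/1.js"></script></p>
<iframe src="http://frames.example.org/x.htm" width="0" height="0"></iframe>
</body></html>
"""

class IncludeAuditor(HTMLParser):
    """Collect script/iframe sources and flag hosts outside the allowlist."""

    def __init__(self, site_host, allowed_hosts):
        super().__init__()
        self.trusted = {site_host.lower()} | {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, host, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.trusted:
            return  # inline, relative, first-party or explicitly allowed
        reason = "off-site host not in allowlist"
        tiny = ("0", "1")  # zero- or one-pixel frames are invisible to visitors
        if tag == "iframe" and a.get("width") in tiny and a.get("height") in tiny:
            reason += ", invisible frame"
        self.findings.append((tag, host, reason))

def audit(html, site_host, allowed_hosts=()):
    """Return findings for one page of HTML served by site_host."""
    auditor = IncludeAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    allow = ["widgets.example.net"]  # hypothetical third-party widget provider
    for tag, host, reason in audit(SAMPLE_HTML, "www.example.com", allow):
        print(f"{tag:7} {host:25} {reason}")
```

Run against rendered pages pulled from the database-backed parts of a site, since SQL-injected tags live in stored content rather than in template files.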